
Virus, malware or both causing problems



#1 boat290

boat290

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 12 November 2009 - 08:18 PM

Hi

I am being redirected every time when attempting to go to, or use, web sites. I am using Internet Explorer. I had similar problems about six months ago that I don't think were really solved. I have been running Ad-Aware every day for the last several months and it found the same two Trojans, quarantined them, just to have them reappear upon reboot. The new redirect problem started about a week ago.

I have had, but been unable to access until a couple of days ago, Spybot Search and Destroy as well as Malwarebytes. The current problem has forced me to find the way to access these programs within my computer. For the last six months I haven't been able to update them, then couldn't access them at all. I have run Malwarebytes several times over the last few days and it always finds problems, but the redirect problem remains.

I have HijackThis, and have run it a few times over the last few days, but I don't have the ability to understand what it's telling me. Further, I have not done anything to change or delete any files that appear in the HijackThis log.

At this point I am unable to access sites on the internet (I own a business and need access to certain web sites). Can you help?

Thanks


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:06 AM

Posted 12 November 2009 - 11:27 PM

Hello. Avoid using HJT on your own.
Let's do this.
EDIT>>
We need to disable Spybot S&D's "TeaTimer" if it is running.
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy

Please download Rkill by Grinler and save it to your desktop. (Alternate downloads: Link 2, Link 3, Link 4.)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick Scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 12 November 2009 - 11:29 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 boat290

boat290
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 13 November 2009 - 08:07 PM

OK, I've gone through and executed your process. There were a few bumps but I got through it in the sequence you wanted, more or less. The Rkill program didn't seem to be working (or downloading) correctly, so I did your process 4 or 5 times. I did get the black DOS screen but then I repeatedly was booted off the internet and couldn't get back on to utilize your links to Rkill within your post. Ultimately I just rebooted after running (I think) Rkill and then was able to run MBAM.

The next slowdown was after downloading and setting up ATF and SAS; you wanted me to reboot in Safe Mode. I couldn't. I got a blue screen with "A problem has been detected and Windows has been shut down..." etc. I will relay the entire message if you'd like. I have seen this type of screen fairly often over the last several months when I shut down my computer, as I've known that the last virus was not totally removed. Should I be concerned about this type of message? Anyway, I rebooted in regular mode and proceeded with things.

At first blush it seems that I am now able to access the internet and get on to web sites without being redirected. Your plan seems to have hit the target, which is awesome. Should anything else be done?

Here is the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/13/2009 at 06:59 PM

Application Version : 4.30.1004

Core Rules Database Version : 4270
Trace Rules Database Version: 2153

Scan type : Complete Scan
Total Scan Time : 00:38:21

Memory items scanned : 689
Memory threats detected : 0
Registry items scanned : 5958
Registry threats detected : 0
File items scanned : 60409
File threats detected : 23

Trojan.Agent/Gen-PEC
C:\COMBOFIX\PEV.CFEXE
C:\COMBOFIX\PEV.EXE

Trojan.Agent/Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP312\A0052973.EXE

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP312\A0053004.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP312\A0053005.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP312\A0053028.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP312\A0053029.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP312\A0053030.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP312\A0053031.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP312\A0053043.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0053073.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0053074.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0053077.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\A0053158.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP315\A0053222.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP316\A0053261.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP316\A0053443.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP316\A0053444.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP316\A0053451.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP316\A0053533.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP316\A0053534.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP316\A0053547.DLL

Trojan.Agent/Gen-FakeAlert[Calc]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP316\A0053461.DLL

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:06 AM

Posted 14 November 2009 - 03:24 PM

Hello. OK, we look better. Was ComboFix recently run?
We still need to do another scan, and then we will clean out those "System Restore" malwares.
How is it running now, and can you now boot to Safe Mode?


Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick Scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 boat290

boat290
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 16 November 2009 - 08:33 PM

Hi boopme

Thanks for your assistance, my computer is running much better and I'm not being redirected everywhere.

Good catch of the details by asking if I can reboot in safe mode. I can't. I get the blue screen with "A problem has been detected and Windows has been shut down...". I bet it isn't a good idea to leave it this way. I can boot up in normal mode no problem though.

Here is the log from the Quick scan with MBAM that was the last thing you had me do.

Malwarebytes' Anti-Malware 1.41
Database version: 3183
Windows 5.1.2600 Service Pack 2

11/16/2009 6:55:05 PM
mbam-log-2009-11-16 (18-55-05).txt

Scan type: Quick Scan
Objects scanned: 155730
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:06 AM

Posted 17 November 2009 - 11:18 AM

OK, I want to run another one; it will be long.
Also, is ComboFix still installed? You did not answer that.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#7 AMWelsh

AMWelsh

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:06 AM

Posted 21 November 2009 - 09:12 AM

Dear boopme (or anyone else who might have any ideas on this),

I am pretty much of a computer illiterate, but I think I might have the same problem as boat290.

Today, after installing an mp3 download manager from mp3fiesta.com (which can be downloaded from here: http://www.mp3fiesta.com/downloadmanager/setup.exe), I almost immediately got a message from SUPERAntiSpyware.

I never had any problems with this application before, but this was an upgrade. (It's from one of those Russian [I think] music sites, a spawn, of sorts, of AllofMp3, on which one can download entire albums for $0.50 or so.)

After I scanned using SUPERAntiSpyware, I got this:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/21/2009 at 02:08 AM

Application Version : 4.30.1004

Core Rules Database Version : 4300
Trace Rules Database Version: 2170

Scan type : Quick Scan
Total Scan Time : 00:10:46

Memory items scanned : 849
Memory threats detected : 0
Registry items scanned : 556
Registry threats detected : 0
File items scanned : 8893
File threats detected : 2

Trojan.Agent/Gen-Nullo[Short]
C:\WINDOWS\SYSTEM32\NETSETUP.EXE
C:\WINDOWS\SYSTEM32\WEXTRACT.EXE

I scanned using Malwarebytes' Anti-Malware and got these results:

Malwarebytes' Anti-Malware 1.41
Database version: 3205
Windows 5.1.2600 Service Pack 3

11/21/2009 2:34:36 AM
mbam-log-2009-11-21 (02-34-36).txt

Scan type: Quick Scan
Objects scanned: 116184
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I also used Malwarebytes' Anti-Malware to scan the individual files singled out by SUPERAntiSpyware:

C:\WINDOWS\SYSTEM32\NETSETUP.EXE
C:\WINDOWS\SYSTEM32\WEXTRACT.EXE

Again, the files were, in effect, declared "clean."

I also scanned the two files with McAfee; no viruses or spyware were detected.

Malwarebytes' Anti-Malware has ALWAYS caught any problems before, even those not caught by McAfee. So I don't know if the results from SUPERAntiSpyware are correct or a "false positive."

When I checked the "modified" and "created" dates for the two files, the dates were April 14, 2009.

My questions are:

1) I did what SUPERAntiSpyware told me to do, which was quarantine and remove the files. Was that a mistake?

2) Are these application files important? What do they DO? What would happen (or not happen) now that I have deleted them? Can I download these files from somewhere else?

3) Should I follow the instructions you gave above, Nov 17 2009, 11:18 AM, in Post #6 (http://www.bleepingcomputer.com/forums/index.php?showtopic=271072&view=findpost&p=1502999)

My computer IS running slow at start-up, though that has been a problem for awhile, but I'm not having problems with internet access.

Please, any help would be appreciated.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:06 AM

Posted 21 November 2009 - 10:16 AM

My questions are:

1) I did what SUPERAntiSpyware told me to do, which was quarantine and remove the files. Was that a mistake?
No... Files in quarantine can no longer harm the PC.

2) Are these application files important? What do they DO? What would happen (or not happen) now that I have deleted them? Can I download these files from somewhere else?

Did you DELETE them, or are they in quarantine? Quarantine is used, as I said, so the file cannot harm the PC. Yet they are there so that if they are important to the stable operation of the machine they can be retrieved.

3) Should I follow the instructions you gave above, Nov 17 2009, 11:18 AM, in Post #6 (http://www.bleepingcomputer.com/forums/index.php?showtopic=271072&view=findpost&p=1502999)

May as well run it; it can do no harm while you are here. It will need a couple of hours.

My computer IS running slow at start-up, though that has been a problem for awhile, but I'm not having problems with internet access.
You look quite clean. Some slowness occurs after running tools, as they adjust the registry and clear all Temp files and cookies. Watch for a day to see if it picks up as you revisit your usual sites.
I suspect SUPER jumped on the program as it is asking for access, and that's what these tools watch for a lot.

Edited by boopme, 21 November 2009 - 10:16 AM.

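
Anne's second question in post #7 (whether the two System32 files matter and whether they can be recovered) has a concrete check on Windows XP: Windows File Protection keeps reference copies of protected system files under %SystemRoot%\system32\dllcache, and `sfc /scannow` restores from there or from the installation source. The Python script below is an added example, not from this thread or from any tool mentioned in it. It hashes the live copy of each named file and the dllcache copy and reports whether they agree, whether the live copy is gone (as after a quarantine) while a reference copy remains, or whether there is no reference copy at all. The system32 folder it builds in a temporary directory is a constructed stand-in with placeholder bytes so the example runs offline; point compare_with_dllcache at the real folder to use it.

```python
"""Compare a flagged System32 file with the Windows File Protection copy.

Added example, not from the thread or from SUPERAntiSpyware/Malwarebytes.
Assumes the Windows XP layout, where WFP keeps reference copies under
%SystemRoot%\\system32\\dllcache. Identical hashes only show that the two
copies agree; a stale cache, or malware that replaced both copies, is
outside what this check can tell you.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_with_dllcache(system32: Path, names) -> dict:
    """One verdict per file name:
    MATCH         live copy identical to the dllcache copy
    MISMATCH      both present but different (altered file, or stale cache)
    MISSING       live copy gone (e.g. quarantined); cache copy available
    NO_REFERENCE  live copy present but dllcache has nothing to compare
    ABSENT        neither copy present
    """
    dllcache = system32 / "dllcache"
    verdicts = {}
    for name in names:
        live, ref = system32 / name, dllcache / name
        if live.is_file() and ref.is_file():
            verdicts[name] = "MATCH" if sha256_of(live) == sha256_of(ref) else "MISMATCH"
        elif ref.is_file():
            verdicts[name] = "MISSING"
        elif live.is_file():
            verdicts[name] = "NO_REFERENCE"
        else:
            verdicts[name] = "ABSENT"
    return verdicts


def build_sample_layout() -> Path:
    """Constructed stand-in for C:\\WINDOWS\\system32 so the example runs offline.
    The file contents are placeholder bytes, not real Windows binaries."""
    system32 = Path(tempfile.mkdtemp()) / "system32"
    (system32 / "dllcache").mkdir(parents=True)
    # wextract.exe: live copy and cache copy agree
    (system32 / "wextract.exe").write_bytes(b"MZ placeholder wextract")
    (system32 / "dllcache" / "wextract.exe").write_bytes(b"MZ placeholder wextract")
    # netsetup.exe: live copy quarantined, only the cache copy remains
    (system32 / "dllcache" / "netsetup.exe").write_bytes(b"MZ placeholder netsetup")
    # sample.dll (hypothetical name): live copy differs from the cache copy
    (system32 / "sample.dll").write_bytes(b"MZ placeholder altered")
    (system32 / "dllcache" / "sample.dll").write_bytes(b"MZ placeholder original")
    return system32


if __name__ == "__main__":
    # Real use: compare_with_dllcache(Path(r"C:\WINDOWS\system32"), ["netsetup.exe", "wextract.exe"])
    results = compare_with_dllcache(
        build_sample_layout(), ["wextract.exe", "netsetup.exe", "sample.dll", "nothere.sys"])
    for name, verdict in results.items():
        print(f"{verdict:<13} {name}")
```

A MISSING verdict with a reference copy present is the case the thread is in: the file can be put back from quarantine or by `sfc /scannow`. A MISMATCH deserves a second opinion (a hash lookup against a vendor database, or a signature check) before the live copy is trusted again.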

#9 AMWelsh

AMWelsh

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:06 AM

Posted 21 November 2009 - 12:46 PM

Dear boopme,

After quarantining, via SUPERAntiSpyware, those files I listed above,

C:\WINDOWS\SYSTEM32\NETSETUP.EXE
C:\WINDOWS\SYSTEM32\WEXTRACT.EXE


I rebooted my computer and ran SUPERAntiSpyware again. This is the log (I deleted from the copy below the list of tracking cookies.)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/21/2009 at 08:02 AM

Application Version : 4.30.1004

Core Rules Database Version : 4300
Trace Rules Database Version: 2170

Scan type : Complete Scan
Total Scan Time : 00:57:36

Memory items scanned : 863
Memory threats detected : 0
Registry items scanned : 6893
Registry threats detected : 0
File items scanned : 33925
File threats detected : 9


Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP131\A0081596.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP131\A0081610.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP71\A0044667.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP71\A0044668.EXE


Apparently that little sucker has metastasized. I again quarantined these files and my computer wants to reboot, which I will do as soon as I am done with this.

Clearly, this Trojan virus has now infected my System Volume Information folder, a hidden system folder that the System Restore tool uses to store its information and restore points. This, in turn, can rapidly destroy all my “Restore” points.

I downloaded the Dr.Web CureIt! (from a Russian site!!!)

Please don't take this personally, but are you sure this program is safe? Have you used it?

And...do I HAVE to go into Safe Mode to run Dr.Web CureIt!? Can I run it in Normal mode? (I'm asking because I have a HUGE project due on Monday and need every minute on my computer that is available in a 24 hour day.)

Will check back in a couple of hours.

Also, for anyone else who may have this problem, I found the info below @ WikiAnswers:
http://wiki.answers.com/Q/How_do_you_delet...ion_restore_EXE

Q. How do you delete the virus on C System Volume Information restore EXE?

A. WikiAnswers contributors share some tips:


*** All Trojan horses are hidden files so you would need to go to the Files Option (click the View tab) on the Control Panel and uncheck both the *Hide file extension for known file types & *Hide protected operating system files (Recommended)-boxes, then OK yourself out.

You will then need to restart your computer and go into Safe Mode by holding the F8 key down (kind of at the beginning of bootup). When you're at the Desktop screen go to Start/ Search/ For Files and Folders and type up the NAME OF THE FILE & EXT (not PSW.Briss.C) but the actual name of the file, which would have shown up on your Anti-Virus software. You can delete this file from here, also make sure to empty your Recycle Bin.

I have had 4 Trojan horses on my C drive and kinda figured out the above method a week ago. I deleted the Temp file (as these keep putting the same files back into your system) from the Restore folder after unchecking the hidden files boxes, then went to Safe Mode to delete what virus files that were still there. My computer is now absolutely FREE of these pests!

I also have AVG 6.0 (the free one) & also the Ad-aware 6 and I use them every day as my kids love to play games from the Internet.

*** I have Windows XP. This worked for me:

Open Control Panel > Tools > Folder Options > View; uncheck "Hide protected operating system files"; OK. Start > Search > Files and Folders; enter all or part of the trojan file name; Search. Right-click the file when found > Delete. Empty Recycle Bin.

*** Your virus scanner may not be able to access the folder because it does not have permission to do so. See this article for info on how to gain access to the System Volume Information folder: http://support.microsoft.com/default.aspx?...B;en-us;q309531.

*** I am running Windows XP Pro (build 2600) w/SP2 and on this system I am running Avast AntiVirus 4.5 Home Edition ( I alternate between this and Avast Professional when I reformat, which is 2x a year). This is an exceptional program as well as its brother Avast Professional 4.5, upon a daily scan the Home version found this: C:\System Volume Information\_restore{992476EB-89EC-4BBA-ACF9-063EFCB49378}\RP35\A0003426.exe Avast 4.5 Home Edition found and deleted this file, however to be sure I went ahead and did the following: Restart/Safe Mode/Administrator/Desktop/Start/Control Panel/Tools/View/Uncheck both 'hide extensions for known file types' and 'hide protected Operating System files (recommended)' click 'apply' then select 'ok' move towards start/search/all files and folders/*A0003426.exe search yielded nothing after Avast had initially deleted the file in 'normal' startup. I ran Avast Antivirus while in safe mode and it came back after scanning the SVI Folder with clean results. Replaced the checkmarks back into the "hide extensions for known file types" and "hide protected Operating System files (recommended)", applied and ok'd, restarted and re-entered normal start-up. Since I was still bored I re-scanned in normal mode and again Avast found nothing. Well the bottom line is that I didn't have to do much other than carry out this exercise for when I may need to do so again and really have to work. Avast did most if not all the work for me from the get-go.


And, finally, another suggestion for people with the same problem: Do go to the Microsoft site to learn how to gain access to your System Information folder. Go here: http://support.microsoft.com/kb/309531

Again, thanks for your help.

Anne

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:06 AM

Posted 22 November 2009 - 08:25 PM

Hello. DrWeb is totally legit. I use it here and on my equipment.
OK, I wanted to see if they recur once more from System Restore. I usually like to clear those last, as I prefer having an infected restore point to none while cleaning. But yes, it's time to pull them. I have a tutorial for this so I will post it. Rescan again after this.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
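
A practitioner reading the SUPERAntiSpyware logs in posts #3, #7 and #9 would want the two kinds of hit separated automatically: paths under System Volume Information\_restore{...}\RPnnn are copies held in restore points, dormant until someone rolls back to that point and removed by the Disk Cleanup procedure above, while everything else is a live file that needs verifying or quarantining. The Python script below is an added example, not part of the thread or of SUPERAntiSpyware. Its reading of the log layout (a "File threats detected : N" summary line, then blocks of a detection name followed by one full path per line) is inferred from the posted logs, and SAMPLE_LOG is constructed from paths that appear in them. It also compares the declared count with the number of paths actually listed, which catches a pasted log that was trimmed, as the one in post #9 was.

```python
"""Triage a SUPERAntiSpyware scan log into dormant and live detections.

Added example, not part of the thread or of SUPERAntiSpyware. The log
layout is inferred from the logs posted in the thread: a summary line
'File threats detected : N', then blocks consisting of a detection name
followed by one full path per line. SAMPLE_LOG is constructed from paths
that appear in those logs.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample. The summary says 6 but only 5 paths follow, mirroring
# post #9, where the tracking-cookie lines were cut from the pasted log.
SAMPLE_LOG = """SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/21/2009 at 08:02 AM

Scan type : Complete Scan
Total Scan Time : 00:57:36

File items scanned : 33925
File threats detected : 6

Trojan.Agent/Gen-PEC
C:\\COMBOFIX\\PEV.EXE

Trojan.Agent/Gen-Nullo[Short]
C:\\WINDOWS\\SYSTEM32\\NETSETUP.EXE
C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\\RP131\\A0081596.EXE
C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{45B5E8B9-949A-471E-999D-F381DA56A2D3}\\RP71\\A0044667.EXE

Trojan.Agent/Gen-FakeAlert[Calc]
C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP316\\A0053461.DLL
"""

# Restore-point copies live under \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\SYSTEM VOLUME INFORMATION\\_RESTORE\{[0-9A-F-]{36}\}\\RP(\d+)\\",
    re.IGNORECASE,
)
# A line starting with a drive letter is a path; any other non-empty line in the
# detail section is the name of the detection that the following paths belong to.
PATH_RE = re.compile(r"^[A-Z]:\\", re.IGNORECASE)
DECLARED_RE = re.compile(r"^File threats detected\s*:\s*(\d+)$")


@dataclass
class Detection:
    name: str
    path: str
    restore_point: Optional[int]  # RP number when the file sits inside a restore point


def parse_sas_log(text: str):
    """Return (detections, declared_count); declared_count is None if the
    'File threats detected' summary line is missing."""
    detections, declared, current_name, in_detail = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_detail:
            m = DECLARED_RE.match(line)
            if m:
                declared, in_detail = int(m.group(1)), True
            continue  # still in the header/summary section
        if not line:
            continue
        if PATH_RE.match(line):
            if current_name is None:
                raise ValueError(f"path listed before any detection name: {line}")
            rp = RESTORE_POINT_RE.search(line)
            detections.append(Detection(current_name, line, int(rp.group(1)) if rp else None))
        else:
            current_name = line
    return detections, declared


def triage(detections):
    """Split hits into those dormant inside restore points and live files."""
    dormant = [d for d in detections if d.restore_point is not None]
    live = [d for d in detections if d.restore_point is None]
    return {"dormant": dormant, "live": live,
            "restore_points": sorted({d.restore_point for d in dormant})}


def report(text: str) -> str:
    detections, declared = parse_sas_log(text)
    t = triage(detections)
    out = []
    if declared is not None and declared != len(detections):
        out.append(f"WARNING: summary declares {declared} file threats but "
                   f"{len(detections)} are listed; the log was edited or truncated.")
    out.append(f"{len(t['live'])} live file(s) to verify or quarantine:")
    out.extend(f"  {d.name:<32} {d.path}" for d in t["live"])
    out.append(f"{len(t['dormant'])} file(s) held in restore points {t['restore_points']}; "
               f"dormant until a restore point is used, removed by purging old restore points:")
    out.extend(f"  RP{d.restore_point:<5} {d.name:<32} {d.path}" for d in t["dormant"])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real log, the live list is what still needs attention after the scan; the restore-point list goes away with the Create a Restore Point plus Disk Cleanup steps above, which is why boopme leaves those for last.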



